[Erp5-report] r8716 - /erp5/trunk/products/ERP5/ERP5Site.py
Mon Jul 24 16:35:43 CEST 2006
Author: jerome
Date: Mon Jul 24 16:35:39 2006
New Revision: 8716
URL: http://svn.erp5.org?rev=8716&view=rev
Log:
authentication is not available in before traverse hooks, so we have to do a
manual pseudo security check to allow managers to enter arbitrary URLs.
Modified:
erp5/trunk/products/ERP5/ERP5Site.py
Modified: erp5/trunk/products/ERP5/ERP5Site.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5/ERP5Site.py?rev=8716&r1=8715&r2=8716&view=diff
==============================================================================
--- erp5/trunk/products/ERP5/ERP5Site.py (original)
+++ erp5/trunk/products/ERP5/ERP5Site.py Mon Jul 24 16:35:39 2006
@@ -105,14 +105,14 @@
response = request.RESPONSE
http_url = request.get('ACTUAL_URL', '').strip()
http_referer = request.get('HTTP_REFERER', '').strip()
-
- security_manager = AccessControl.getSecurityManager()
- user = security_manager.getUser()
- user_roles = user.getRolesInContext(object)
-
- # Manager can do anything
- if 'Manager' in user_roles:
- return
+
+ user_password = request._authUserPW()
+ if user_password:
+ user = container.acl_users.getUserById(user_password[0]) or\
+ container.aq_parent.acl_users.getUserById(user_password[0])
+ # Manager can do anything
+ if user is not None and 'Manager' in user.getRoles():
+ return
portal_url = container.portal_url.getPortalObject().absolute_url()
if http_referer != '':
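Review bot: The Manager early-return now rests on the user name alone: `_authUserPW()` returns a (name, password) pair, but `user_password[1]` is never checked, so the role test and the `return` are honoured for whoever the Authorization header merely names, not for someone who has proven those credentials. Before trusting the role, validate the password against the user object that was looked up, e.g. `if user is not None and user.authenticate(user_password[1], request) and 'Manager' in user.getRoles():`, so that the hook's own "pseudo security check" at least requires valid credentials. Note also that the removed code tested `getRolesInContext(object)` while the new code tests the global `getRoles()`, which silently drops Managers who hold the role only locally; if that narrowing is intended it deserves a comment. The enclosing method starts before this hunk, so any rename of `user_password` should be checked against its earlier lines.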
@@ -172,7 +172,9 @@
"""
BeforeTraverse.registerBeforeTraverse(self,
ReferCheckerBeforeTraverseHook(),
- ReferCheckerBeforeTraverseHook.handle)
+ ReferCheckerBeforeTraverseHook.handle,
+ # we want to be registered _after_ CookieCrumbler
+ 100)
def _disableRefererCheck(self):
"""Disable the HTTP_REFERER check."""
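Review bot: The new comment says the hook must register after CookieCrumbler but not why, and the literal `100` carries that dependency silently. Presumably the ordering matters because the hook's `handle` reads the request's Basic auth pair via `_authUserPW()`, which only reflects cookie-based logins once CookieCrumbler has run; the comment should say so, e.g. `# register _after_ CookieCrumbler (its priority is lower) so the credentials it derives from the cookie are visible to _authUserPW()`. Whether `100` actually sorts after CookieCrumbler's own priority is not visible here and is worth confirming, since equal priorities would leave the order to registration sequence.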